Hi All,
I have a query that gives me a result in a name value format in a table.
Basically I work with log lines and I'm counting how many times one field has a discrete value.
Log lines can be e.g.:
errorid=1 hostname=a value=1
errorid=1 hostname=b value=3
errorid=1 hostname=a value=2
errorid=1 hostname=c value=1
errorid=2 hostname=c value=1
I'm able to create a query like:
errorid=* | stats count(eval(errorid="1")) as count by hostname | rename hostname as Host
or
errorid=* | stats count(eval(errorid="1")) as count by value | rename value as Value
But what I'd need is to get the result from the first query and run the second against that subset.
So I'd like to find out how many error messages have value X on a given host, and get this for all hosts that appear in these kinds of messages.
Any ideas?
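The per-host, per-value count asked about above, worked through on the five sample log lines as an added example (not part of the original post). It groups on both fields at once instead of chaining two searches, which is what `stats count by hostname, value` does in SPL; the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the five log lines quoted in the question.
SAMPLE_LINES = [
    "errorid=1 hostname=a value=1",
    "errorid=1 hostname=b value=3",
    "errorid=1 hostname=a value=2",
    "errorid=1 hostname=c value=1",
    "errorid=2 hostname=c value=1",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k1=v1 k2=v2' into a dict of string fields."""
    return dict(KV_RE.findall(line))


def count_values_per_host(lines, errorid="1"):
    """Count events per (hostname, value) pair for one errorid."""
    counts = defaultdict(Counter)
    for line in lines:
        event = parse_line(line)
        if event.get("errorid") != errorid:
            continue
        host, value = event.get("hostname"), event.get("value")
        if host is None or value is None:
            continue  # skip events missing either grouping field
        counts[host][value] += 1
    return {host: dict(c) for host, c in counts.items()}


def as_table(counts):
    """Pivot the nested counts: one row per host, one column per value."""
    values = sorted({v for c in counts.values() for v in c})
    rows = [["hostname"] + values]
    for host in sorted(counts):
        rows.append([host] + [str(counts[host].get(v, 0)) for v in values])
    return rows


if __name__ == "__main__":
    for row in as_table(count_values_per_host(SAMPLE_LINES)):
        print("\t".join(row))
```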